When we book a computer into our workshop we use a paper form which includes a box for the password for the computer we are going to work on. Often we may also need the password for the customer’s email account – and we’ll either hack that using a tool called Mail PassView or ask the customer for it if we need to.
I’ve never really thought about the security implications of this process as I trust my staff implicitly, however we do intentionally keep the password off the database system as it’s pretty hard to hack a piece of paper, and once we are done with the worksheet this can be either filed under lock and key, or shredded and pulped.
If the customer is concerned about their security they have the option of changing the password afterwards, but in practice I’m sure very few bother as it’s not always easy to manage, particularly now you have to change it on all your mobile devices too.
One of the big changes in Windows 8 is the reliance on a Windows Live ID, which is often associated with the customer’s main email account. The implication is that we now need the email password to do pretty much anything on the computer, including tasks such as installing Office 2013 which must be linked to a Live ID account.
Whereas before a single password would give limited access to a system, with cloud services and Windows Live ID integrating with everything, it’s a case of one password to rule them all. In many ways this is great as Microsoft have long been the champions of a single authentication for everything, but as soon as you need to give your password to a third party for essential work to be carried out this model presents a huge security risk.
What does this mean for the average Windows 8 user? Well for starters you need to be able to trust your technical support as never before, as now they get access to everything. Suddenly that shady PC repair shop on the corner with the second hand laptops and the phone unlocking sign in the window isn’t looking so attractive is it?
One of the problems with our industry is that there’s very little regulation – the organisations that claim to act as trade associations are mostly just glorified social clubs who would much rather organise another members’ golf day than actually get involved in policing their members. It’s left to organisations such as the council run Trading Standards Officers to weed out the bad boys
In some ways this is good news for us as we work to defined procedures which include DBS (previously CRB) checking our employees. We also have excellent relations with our local Trading Standards team and have assisted them in bringing some of the less reputable operations in our borough to account.
However I do sometimes feel that companies like ours are in the minority – I can count on the fingers of one hand the other companies in our sector that I’d confidently recommend. When it comes to handing over your entire on-line identity what is really needed is something like a valet key, which are commonly employed in the US where valet parking is everywhere. This is a clever little key that allows the valet to drive the car and lock the door, but not to open the boot, for example, and some even turn off the engine if the car travels more than a short distance.
If Microsoft allowed a temporary service account password to be created that worked alongside the main Live ID this would provide an elegant solution to the problem. It could be configured to automatically expire after a set number of days, and could include features such as allowing the ‘valet’ to see email headers, but not open them to read the full content. So there in a nutshell is both the problem and a solution. Over to you Microsoft.